Last modified: 2014-10-24 16:34:30 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T64795, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 62795 - Configure all deployment-prep instances to use local salt and puppet master by default
Status: NEW
Product: Wikimedia Labs
Classification: Unclassified
Component: deployment-prep (beta)
Version: unspecified
Hardware: All All
Importance: High normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on: 64010
Reported: 2014-03-18 17:24 UTC by Bryan Davis
Modified: 2014-10-24 16:34 UTC

Description Bryan Davis 2014-03-18 17:24:12 UTC
Find a way to make all new instances created in the deployment-prep project point to the puppet and salt masters on the deployment-salt instance by default.

This would entail adding the role::puppet::self and setting these global puppet variables:

deployment_server_override:
  deployment-bastion.eqiad.wmflabs

salt_master_finger_override:
  dd:d8:68:70:8c:65:a3:af:46:5c:3f:4f:d4:be:6c:71

salt_master_finger_override:
  deployment-salt.eqiad.wmflabs

puppetmaster:
  deployment-salt.eqiad.wmflabs
Comment 2 Antoine "hashar" Musso (WMF) 2014-03-19 15:33:46 UTC
Should we set those parameters directly in the puppet manifests?  This way whenever an instance is created it will be configured to point to that puppet master.

Maybe just after manifests/realm.pp
Comment 3 Bryan Davis 2014-03-19 17:06:24 UTC
For now, manual instructions on configuring a host are given at https://wikitech.wikimedia.org/wiki/Nova_Resource:Deployment-prep/How_code_is_updated#Converting_a_host_to_use_local_puppetmaster_and_salt_master
Comment 4 Antoine "hashar" Musso (WMF) 2014-10-24 14:22:38 UTC
We still have to set the configuration manually. Pointing to the local puppet seems easy enough, I am not sure how we could automatically sign the puppet/salt keys though :(
Comment 5 Bryan Davis 2014-10-24 16:34:30 UTC
Both salt <http://docs.saltstack.com/en/latest/ref/configuration/master.html#auto-accept> and puppet <https://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html> can be configured to automatically sign keys. I personally don't see that there would be any sort of serious security implications of making this work within the beta cluster.

Yuvi and Giuseppe are working on integrating wikitech and hiera in such a way that it should be possible to set up per-project configuration that can automate adding the proper roles and settings to all hosts in the deployment-prep project. The trickiest part will probably be trying to find a way to automate removing the salt key for the labs-wide master so that the project-specific master's key can be saved on each host.
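
Added example, not part of the bug report or of Wikimedia's puppet repository: a Puppet policy-based autosign executable, one form of the autosign feature linked in comment 5, that signs only certnames inside the project's namespace instead of every request. The deployment-<name>.eqiad.wmflabs naming pattern and the install path in the comment are assumptions.

```shell
#!/bin/sh
# Puppet policy-based autosign executable (added example).
# The puppet master runs the file named by its `autosign` setting with the
# requested certname as $1 and the PEM CSR on stdin. Exit status 0 signs the
# request; any other status leaves it unsigned for manual review.
# Hypothetical install: autosign = /etc/puppet/autosign-policy.sh

# Assumption: beta cluster hosts are named deployment-<name>.eqiad.wmflabs
ALLOWED_PREFIX='deployment-'
ALLOWED_SUFFIX='.eqiad.wmflabs'

# Return 0 if this master may sign the given certname automatically.
certname_allowed() {
    name=$1
    # Reject empty names and anything outside lowercase hostname characters.
    case $name in
        ''|*[!a-z0-9.-]*) return 1 ;;
    esac
    # Require the project prefix and the labs domain suffix.
    case $name in
        "$ALLOWED_PREFIX"*"$ALLOWED_SUFFIX") ;;
        *) return 1 ;;
    esac
    # The part before the suffix must be a single DNS label, so that
    # deployment-x.other.eqiad.wmflabs does not pass the prefix/suffix test.
    label=${name%"$ALLOWED_SUFFIX"}
    case $label in
        *.*) return 1 ;;
    esac
    # There must be a host name after the prefix.
    [ "$label" != "$ALLOWED_PREFIX" ] || return 1
    return 0
}

# When invoked by the puppet master (certname given), decide and exit.
[ $# -eq 0 ] || { certname_allowed "$1"; exit $?; }
```

The certname is chosen by the requesting agent, so this check limits which names can be signed automatically but does not authenticate the host asking for them.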
